This program happened to be exactly what I needed. As a beginner, I followed the articles by two experts; after searching the key data segment, it looks like the program first takes a pass through this data segment to decide which edition to use.
This call is the third call below this key je:
0047481C |. /0F84 23090000 je PhotoSho.00475145
00474822 |. |E8 9992F9FF call PhotoSho.0040DAC0
00474827 |. |8BC8 mov ecx,eax
00474829 |. |E8 F2E20000 call PhotoSho.00482B20
0047482E |. |68 54DD6000 push PhotoSho.0060DD54 ; 注册信息.txt
00474833 |. |E8 E842FBFF call PhotoSho.00428B20
The contents of this call were mentioned in the single-byte patch (一字节爆破) writeup:
00428B20 /$ 55 push ebp
00428B21 |. 8BEC mov ebp,esp
00428B23 |. 51 push ecx
00428B24 |. A1 240B6700 mov eax,dword ptr ds:[0x670B24]
00428B29 |. 8945 FC mov [local.1],eax
00428B2C |. 8B4D FC mov ecx,[local.1]
00428B2F |. 83E9 01 sub ecx,0x1
00428B32 |. 894D FC mov [local.1],ecx
00428B35 |. 837D FC 04 cmp [local.1],0x4
00428B39 |. 0F87 93000000 ja PhotoSho.00428BD2
00428B3F |. 8B55 FC mov edx,[local.1]
00428B42 FF2495 DC8B42>jmp dword ptr ds:[edx*4+0x428BDC]
00428B49 |> 68 40FD5F00 push PhotoSho.005FFD40 ; /体验版
00428B4E |. 6A 1F push 0x1F ; |Arg2 = 0000001F
00428B50 |. 68 00746700 push PhotoSho.00677400 ; |Arg1 = 00677400
00428B55 |. E8 46B21900 call PhotoSho.005C3DA0 ; \PhotoSho.005C3DA0
00428B5A |. 83C4 0C add esp,0xC
00428B5D |. EB 73 jmp short PhotoSho.00428BD2
00428B5F |> 68 48FD5F00 push PhotoSho.005FFD48 ; /冲刺版
00428B64 |. 6A 1F push 0x1F ; |Arg2 = 0000001F
00428B66 |. 68 00746700 push PhotoSho.00677400 ; |Arg1 = 00677400
00428B6B |. E8 30B21900 call PhotoSho.005C3DA0 ; \PhotoSho.005C3DA0
00428B70 |. 83C4 0C add esp,0xC
00428B73 |. EB 5D jmp short PhotoSho.00428BD2
00428B75 |> 68 50FD5F00 push PhotoSho.005FFD50 ; /题库版
00428B7A |. 6A 1F push 0x1F ; |Arg2 = 0000001F
00428B7C |. 68 00746700 push PhotoSho.00677400 ; |Arg1 = 00677400
00428B81 |. E8 1AB21900 call PhotoSho.005C3DA0 ; \PhotoSho.005C3DA0
00428B86 |. 83C4 0C add esp,0xC
00428B89 |. EB 47 jmp short PhotoSho.00428BD2
00428B8B |> 833D 5C736700>cmp dword ptr ds:[0x67735C],0x0
00428B92 |. 75 16 jnz short PhotoSho.00428BAA
00428B94 |. 68 58FD5F00 push PhotoSho.005FFD58 ; /完整版
00428B99 |. 6A 1F push 0x1F ; |Arg2 = 0000001F
00428B9B |. 68 00746700 push PhotoSho.00677400 ; |Arg1 = 00677400
00428BA0 |. E8 FBB11900 call PhotoSho.005C3DA0 ; \PhotoSho.005C3DA0
00428BA5 |. 83C4 0C add esp,0xC
00428BA8 |. EB 14 jmp short PhotoSho.00428BBE
00428BAA |> 68 60FD5F00 push PhotoSho.005FFD60 ; /题库版
00428BAF |. 6A 1F push 0x1F ; |Arg2 = 0000001F
00428BB1 |. 68 00746700 push PhotoSho.00677400 ; |Arg1 = 00677400
00428BB6 |. E8 E5B11900 call PhotoSho.005C3DA0 ; \PhotoSho.005C3DA0
00428BBB |. 83C4 0C add esp,0xC
00428BBE |> 68 68FD5F00 push PhotoSho.005FFD68 ; /高级版
00428BC3 |. 6A 1F push 0x1F ; |Arg2 = 0000001F
00428BC5 |. 68 00746700 push PhotoSho.00677400 ; |Arg1 = 00677400
00428BCA |. E8 D1B11900 call PhotoSho.005C3DA0 ; \PhotoSho.005C3DA0
00428BCF |. 83C4 0C add esp,0xC
00428BD2 |> B8 00746700 mov eax,PhotoSho.00677400
00428BD7 |. 8BE5 mov esp,ebp
00428BD9 |. 5D pop ebp
00428BDA \. C3 retn
If this jumps to the 体验版 (trial edition) branch, it seems the registration code cannot be traced out, so you first need to change:
00428B42 FF2495 DC8B42>jmp dword ptr ds:[edx*4+0x428BDC]
to
00428B42 FF2495 DC8B42>jmp 00428bbe ; i.e. jump straight to the 高级版 (advanced edition) branch
I did not use the patching approach. After the change above, running the program re-enters the related data segment; I traced it all the way down and at a certain point found the following:
0012B324 08D7D9A0 ASCII "0655131633"
0012B328 08D7D978 ASCII "5666905741"
0012B32C 08D7D9A0 ASCII "0655131633"
0012B330 08D7D978 ASCII "5666905741"
After rerunning the program with the original serial number, and then with each of the registration numbers above, you get different editions.